This case is very uncommon, so this is why by default ExtJS should encode every piece of user supplied data prior to displaying it, but have options to configure it to behave in insecure way just for...